How to Configure Your On-Premises Setup to Route Traffic to Silverline Proxies

Description

Before you can start routing traffic through Silverline Proxies, you must configure your on-premises setup with these steps.

 

Environment

  • Silverline DDoS Protection
  • Silverline WAF
  • Proxy/Proxies

 

Procedure

How to Configure Your On-Premises Setup

IMPORTANT: Before you can start routing traffic through Silverline proxies, you must complete these steps.

  1. Allow F5 Silverline IP space (107.162.0.0/21, 107.162.104.0/23, 107.162.49.0/24, 107.162.56.0/22, 107.162.60.0/24 and 107.162.96.0/21) unrestricted through any firewall or router. Ideally, allow the Silverline subnets exclusively. This ensures that only Silverline-routed traffic can reach your network, and thus prevents attackers from bypassing the Silverline infrastructure.
  2. Disable any type of rate limiting or mitigation gear, as all connecting IPs will be F5 Silverline’s proxy IPs.
  3. Lower TTLs on all applicable DNS records.
  4. Turn on HTTP keep-alive in your webserver. This is important, as it reduces latency and server load. See "Turn on HTTP KeepAlive" below for a step-by-step guide.
  5. Change your webserver logging to use X-Forwarded-For. This ensures that your web logs track who is attempting to access your website, as opposed to just tracking Silverline's proxy IP. See "Web Logging: Configure to Use X-Forwarded-For" below for a step-by-step guide.
    • Any application rules based on source IPs should also be based on X-Forwarded-For values.
  6. Provision and test VIPs.
  7. Cut over DNS to your newly assigned VIPs.
  8. Prevent access from the outside internet to your application, while still allowing Silverline traffic.
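
Steps 1, 5 and 8 interact: X-Forwarded-For is only trustworthy when the connection itself comes from a Silverline proxy. The following is an added example (not F5 code) of how an application rule can pick the address to evaluate; it assumes the proxy appends the connecting client's address as the rightmost X-Forwarded-For entry, and the function names are hypothetical.

```python
import ipaddress

# Silverline proxy ranges as listed in step 1 of this article.
SILVERLINE_NETS = [ipaddress.ip_network(n) for n in (
    "107.162.0.0/21", "107.162.104.0/23", "107.162.49.0/24",
    "107.162.56.0/22", "107.162.60.0/24", "107.162.96.0/21",
)]


def is_silverline(addr):
    """True if addr parses as an IP inside one of the Silverline ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in SILVERLINE_NETS)


def effective_client_ip(peer_addr, xff_header):
    """Return the address that source-IP rules should evaluate.

    peer_addr  -- TCP peer address seen by the web server
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    # The request did not arrive from a Silverline proxy, so the header is
    # whatever the sender chose to put there: ignore it.
    if not is_silverline(peer_addr) or not xff_header:
        return peer_addr
    # Walk right to left. Entries on the right were appended by proxies
    # (assumption); entries further left were supplied by the client.
    for hop in reversed(xff_header.split(",")):
        hop = hop.strip()
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back to the peer
        if not is_silverline(hop):
            return hop  # first address that is not one of the proxies
    return peer_addr  # header held only proxy addresses


if __name__ == "__main__":
    # Constructed inputs; non-Silverline addresses are documentation ranges.
    print(effective_client_ip("107.162.0.10", "192.0.2.1, 198.51.100.7"))
    print(effective_client_ip("203.0.113.9", "192.0.2.1"))
```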

Webserver Optimization

Turn on HTTP KeepAlive

Turning on HTTP KeepAlive is important for reducing both latency and webserver load. It can yield load reductions of a 1000:1 ratio in connections to your webserver, and it greatly improves the customer experience through reduced latency.

Apache  (httpd.conf)

<IfModule prefork.c>
StartServers 20
MinSpareServers 5
MaxSpareServers 20
ServerLimit 10000
MaxClients 5000
MaxRequestsPerChild 0
</IfModule>

Nginx  (nginx.conf)

# Timeout for keep-alive connections. Server will close connections after this time.

keepalive_timeout 300;

# Number of requests a client can make over the keep-alive connection. This is set high for testing.

keepalive_requests 100000;

IIS 6

  • Right click on web site and click on Properties
  • In the web site properties box check “Enable HTTP Keep-Alives” and set the timeout to at least 300 seconds.

IIS 7 / 7.5

  • Click on the web site
  • In the Features View, double click “HTTP Response Headers”
  • Click on Set Common Headers… in Actions panel
  • You should see HTTP keep-alive already checked.  If not, check it

 

Web Logging: Configure to Use X-Forwarded-For

Note: XFF Header insertion is only available with the HTTP, SSL HTTP or SSL HTTP OFFLOAD proxy service types.

Logging X-Forwarded-For (XFF)

When placing your webserver behind a reverse proxy such as F5 Silverline’s, it’s important to remember that the IP addresses that connect to you will no longer be the client on the internet but IP addresses of F5 Silverline’s proxy cluster. To ensure that visibility of who’s viewing your website is not lost in the web logs, it is important to configure logging on your webserver to use the X-Forwarded-For header as the source IP.

 

Apache (httpd.conf)

LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %V %D " proxy

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\" %V %D " direct

SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded

CustomLog logs/direct_access_log direct env=!forwarded

CustomLog logs/proxy_access_log proxy env=forwarded
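
With the split logging above, logs/direct_access_log doubles as a check on step 8 of the procedure: any entry whose %h is outside the Silverline ranges reached the origin without passing through a proxy. The following added example (not F5 code; the function name and sample lines are constructed) scans lines in the "direct" format for such entries.

```python
import ipaddress
import re

# Silverline proxy ranges as listed in step 1 of this article.
SILVERLINE_NETS = [ipaddress.ip_network(n) for n in (
    "107.162.0.0/21", "107.162.104.0/23", "107.162.49.0/24",
    "107.162.56.0/22", "107.162.60.0/24", "107.162.96.0/21",
)]

# Leading fields of the "direct" LogFormat: %h %l %u %t "%r" %>s
DIRECT_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]*\] "((?:[^"\\]|\\.)*)" \d{3} ')


def find_origin_bypass(lines):
    """Map each non-Silverline peer address to the requests it sent."""
    hits = {}
    for line in lines:
        m = DIRECT_RE.match(line)
        if not m:
            continue  # line is not in the "direct" format
        host, request = m.groups()
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # %h is a hostname (HostnameLookups On); not handled
        if not any(ip in net for net in SILVERLINE_NETS):
            hits.setdefault(host, []).append(request)
    return hits


# Constructed sample; addresses outside 107.162.x.x are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.50 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" '
    '200 512 "-" "curl/8.0" www.example.com 1200 ',
    '107.162.0.25 - - [10/Oct/2023:13:55:40 +0000] "GET /health HTTP/1.1" '
    '200 2 "-" "-" www.example.com 300 ',
    '203.0.113.50 - - [10/Oct/2023:13:55:41 +0000] "POST /login HTTP/1.1" '
    '401 87 "-" "curl/8.0" www.example.com 2100 ',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /admin HTTP/1.1" '
    '403 199 "-" "Mozilla/5.0" www.example.com 900 ',
]

if __name__ == "__main__":
    for addr, reqs in find_origin_bypass(SAMPLE_LOG).items():
        print(addr, len(reqs), reqs)
```

This only covers requests that carry no X-Forwarded-For header, because the "proxy" format above does not record %h.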

 

Nginx (nginx.conf)

# configure log format
log_format main '$remote_addr - $remote_user [$time_local] '
                '"$request" $status  $body_bytes_sent "$http_referer" '
                '"$http_user_agent" "$http_x_forwarded_for"';

 

IIS 7 & later

Download (from the link below) and install IIS Advanced Logging.  Once installed, follow the steps below to add the X-Forwarded-For log field to IIS.

http://www.microsoft.com/en-gb/download/details.aspx?id=7211

1. From your Windows Server 2008 or Windows Server 2008 R2 device, open IIS Manager
2. From the Connections navigation pane, click the appropriate server, web site, or directory on which you are configuring Advanced Logging. The Home page appears in the main panel
3. From the Home page, under IIS, double-click Advanced Logging
4. From the Actions pane on the right, click Edit Logging Fields
5. From the Edit Logging Fields dialog box, click the Add Field button, and then complete the following:
  • In the Field ID box, type X-Forwarded-For
  • From the Category list, select Default
  • From the Source Type list, select Request Header
  • In the Source Name box, type X-Forwarded-For
  • Click the OK button in the Add Logging Field box, and then click the OK button in the Edit Logging Fields box
6. Click a Log Definition to select it. By default, there is only one: %COMPUTERNAME%-Server. The log definition you select must have a status of Enabled
7. From the Actions pane on the right, click Edit Log Definition
8. Click the Select Fields button, and then check the box for the X-Forwarded-For logging field
9. Click the OK button
10. From the Actions pane, click Apply
11. Click Return To Advanced Logging
12. In the Actions pane, click Enable Advanced Logging
